Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites

Phil Lello <phil@dunlop-lello.uk> Mon, 04 April 2016 17:46 UTC

MIME-Version: 1.0
In-Reply-To: <1c1246d3be495728863f1633691e4a53.squirrel@www.trepanning.net>
References: <20DDE657-E1A9-4705-936D-40673294C4EB@sn3rd.com> <56FD2A0A.1050607@gmx.net> <56FD4A42.2080100@akamai.com> <56FD4E32.5060409@gmx.net> <56FD55E3.9060605@akamai.com> <56FD599D.2040206@gmx.net> <56FD5B00.3090007@akamai.com> <ca13e48abd8042c38bc2116bd5574f85@usma1ex-dag1mb1.msg.corp.akamai.com> <56FD5CFC.8090508@gmx.net> <9ed6f4205baf4602857b3c4539fc1941@usma1ex-dag1mb1.msg.corp.akamai.com> <56FD610F.10301@gmx.net> <56FD63B0.2070205@cs.tcd.ie> <1640361f86795f7c3117d9c25be91a72.squirrel@www.trepanning.net> <CACsn0cmM+YTkPKf-nbqgyq=GdG=8M7i+Jq1a-kx77C9CbWCwqg@mail.gmail.com> <fa7284ff7f22aa724fbdc7122707c0e3.squirrel@www.trepanning.net> <CAPofZaGYpMEiJGz=kFJwfYGPJ433JhcEhLzBky9pi+0RwceeqQ@mail.gmail.com> <1c1246d3be495728863f1633691e4a53.squirrel@www.trepanning.net>
Date: Mon, 04 Apr 2016 18:46:12 +0100
Message-ID: <CAPofZaH+S3vpUC_XD4WGKfzJRUULdG3P0b=MKtoTqU-iq+qg2w@mail.gmail.com>
From: Phil Lello <phil@dunlop-lello.uk>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary="001a114111bc01231d052fac4e3f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3nYtcMFetjJrmpoTGYIEi7lYZhM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites
Precedence: list

>
> >> Usually what happens is the server generates a self-signed certificate
> >> and the apps are given some "username" and "password" and the app
> >> ignores the unauthenticated nature of the TLS connection and sends
> >> the u/p credential on through.
> >
> > Isn't this use case more of an argument for an updated auth-digest to use
> > something better than MD5? I'm not convinced MITM is a real concern for a
> > typical IoT environment (however that's defined - I'm assuming http in a
> > domestic environment).
>
>   First of all, what makes you think it's MD5 digest and not just
> plaintext? And updated by whom? These are ad hoc constructions done
> because the alternative is too onerous.
>

I didn't say that. I was suggesting using a standard HTTP digest mechanism
rather than sending a plaintext username/password. The IETF has already
updated HTTP digest, so there's no work.

>
>   As someone who has stolen wi-fi from the apt next door that was
> protected by a PSK I would say that doing a dictionary attack in
> a "domestic environment" is entirely plausible. If I have to do a
> soft AP advertising the neighbor's SSID in order to lure a set-top
> box or thermostat or whatever to connect to me then that's a very
> low bar.
>

Whilst you have my sympathy, I don't see how that's relevant; a dictionary
attack can be used just as easily against a TLS protected resource.
Securing the WiFi configuration so that devices connect to the correct one
is not a TLS issue.

Best wishes,

Phil Lello

[TLS] call for consensus: changes to IANA registr… Sean Turner
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Yoav Nir
Re: [TLS] call for consensus: changes to IANA reg… Daniel Kahn Gillmor
Re: [TLS] call for consensus: changes to IANA reg… Dmitry Belyavsky
Re: [TLS] call for consensus: changes to IANA reg… Henrick Hellström
Re: [TLS] call for consensus: changes to IANA reg… Benjamin Kaduk
Re: [TLS] call for consensus: changes to IANA reg… Eric Rescorla
Re: [TLS] call for consensus: changes to IANA reg… Henrick Hellström
Re: [TLS] call for consensus: changes to IANA reg… Daniel Kahn Gillmor
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Yoav Nir
Re: [TLS] call for consensus: changes to IANA reg… Sean Turner
Re: [TLS] call for consensus: changes to IANA reg… Sean Turner
Re: [TLS] call for consensus: changes to IANA reg… Ilari Liusvaara
Re: [TLS] call for consensus: changes to IANA reg… Daniel Kahn Gillmor
Re: [TLS] call for consensus: changes to IANA reg… Yoav Nir
Re: [TLS] call for consensus: changes to IANA reg… Dave Garrett
Re: [TLS] call for consensus: changes to IANA reg… Benjamin Kaduk
Re: [TLS] call for consensus: changes to IANA reg… Bill Frantz
Re: [TLS] call for consensus: changes to IANA reg… Rick van Rein
Re: [TLS] call for consensus: changes to IANA reg… Stephen Farrell
Re: [TLS] call for consensus: changes to IANA reg… Eric Rescorla
Re: [TLS] call for consensus: changes to IANA reg… Stephen Farrell
Re: [TLS] call for consensus: changes to IANA reg… Martin Thomson
Re: [TLS] call for consensus: changes to IANA reg… Rick van Rein
Re: [TLS] call for consensus: changes to IANA reg… Hannes Tschofenig
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Dang, Quynh (Fed)
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Benjamin Kaduk
Re: [TLS] call for consensus: changes to IANA reg… Hannes Tschofenig
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Benjamin Kaduk
Re: [TLS] call for consensus: changes to IANA reg… Hannes Tschofenig
Re: [TLS] call for consensus: changes to IANA reg… Benjamin Kaduk
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Eric Rescorla
Re: [TLS] call for consensus: changes to IANA reg… Hannes Tschofenig
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Hannes Tschofenig
Re: [TLS] call for consensus: changes to IANA reg… Eric Rescorla
Re: [TLS] call for consensus: changes to IANA reg… Stephen Farrell
Re: [TLS] call for consensus: changes to IANA reg… Rick van Rein
Re: [TLS] call for consensus: changes to IANA reg… Andrei Popov
Re: [TLS] call for consensus: changes to IANA reg… Dan Harkins
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Dan Harkins
Re: [TLS] call for consensus: changes to IANA reg… Dan Harkins
Re: [TLS] call for consensus: changes to IANA reg… Watson Ladd
Re: [TLS] call for consensus: changes to IANA reg… Salz, Rich
Re: [TLS] call for consensus: changes to IANA reg… Dan Harkins
Re: [TLS] call for consensus: changes to IANA reg… Peter Gutmann
Re: [TLS] call for consensus: changes to IANA reg… Watson Ladd
Re: [TLS] call for consensus: changes to IANA reg… Peter Gutmann
Re: [TLS] call for consensus: changes to IANA reg… Phil Lello
Re: [TLS] call for consensus: changes to IANA reg… Kaduk, Ben
Re: [TLS] call for consensus: changes to IANA reg… Dan Harkins
Re: [TLS] call for consensus: changes to IANA reg… Phil Lello
Re: [TLS] call for consensus: changes to IANA reg… Dan Harkins
Re: [TLS] call for consensus: changes to IANA reg… Adam Langley
Re: [TLS] call for consensus: changes to IANA reg… Peter Gutmann
Re: [TLS] call for consensus: changes to IANA reg… Adam Langley
Re: [TLS] call for consensus: changes to IANA reg… Dan Harkins
Re: [TLS] call for consensus: changes to IANA reg… Aaron Zauner
Re: [TLS] call for consensus: changes to IANA reg… Sean Turner
Re: [TLS] call for consensus: changes to IANA reg… Dang, Quynh (Fed)
Re: [TLS] call for consensus: changes to IANA reg… Sean Turner